Tuesday, November 27, 2007

Apple Quicktime RTSP update

The newest one by Yag Kohha has refined the attack to an almost weaponized state. This means that anklebitters, bot masters, and a general assortment of unsavory types now have everything needed to easily take advantage of the flaw.

The developers of another PoC modified it after Symantec released a blog post declaring that standard buffer overflow protection will mitigate the vulnerability in some cases. The exploit has also been tweaked to work via a redirection attack on IE7, Firefox, and Opera. Safari on Windows seems left out, but that does not mean you are safe if you use Safari.

We are also receiving some scattered reports that it is showing up in the wild but have not been able to validate them. Because malicious code can be embedded so many different ways it is advisable to following the US CERT suggestions here or remove QuickTime completely.

Although the published exploits target Windows, the flaw is present in OSX so Apple users should be cautious as well.

An interesting note is the most robust of the exploits makes a derogatory mention of WabiSabiLabi Labs, the exploit auction site. WabiSabiLabi has a QuickTime exploit for sale now that lists QuickTime 7.2 and Windows XP as the targets. You have to wonder if this is another case of a researcher using vague details to find the same vulnerability.

Keep in mind that the analysis shows that all the exploits rely on a known offset for successful attack. ASLR could mitigate these attacks by changing the load address of components to make the attacks nothing more than Denial-of-Service. If Apple had enabled QuickTime to take advantage of ASLR in all of its components, this would be a non-issue. Instead they put you at risk.

UPDATE:

I thought a screen shot of what the warning message on Vista with IE7 looks like would be appropriate.